MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09c17e71a2bdb6aec337f54c48b4e5121fdc753127f8f3ea425b11ce4e2a2dbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

LummaStealer

Vendor detections: 16



SHA256 hash: 09c17e71a2bdb6aec337f54c48b4e5121fdc753127f8f3ea425b11ce4e2a2dbd
SHA3-384 hash: c078a9f03253632ef34d023993e55c29ca94b69049eb520cc7c06a391e9e2977077fd54189cda977a492aff95937f19b
SHA1 hash: 85b6649e313449bec768c5f41980d15d106bd278
MD5 hash: c8eb2d44b177c838b1b381d7480f8f6a
humanhash: saturn-fish-failed-delta
File name: random.exe
Signature: LummaStealer
File size: 1'875'968 bytes
First seen: 2025-06-03 06:27:43 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep: 49152:c++2FOreOlkrS47dMJFCuaX+lc0yZcnsRL:Dp86Ekm4JjZ+l9ekSL
TLSH: T17D95332F7796B71ECC306BB26AD3D4513BBDE48A04916A564FCFA93809C35CC16142BB
TrID: 42.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      19.2% (.EXE) OS/2 Executable (generic) (2029/13)
      19.0% (.EXE) Generic Win/DOS Executable (2002/3)
      18.9% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe LummaStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 407
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID: 1
File name: random.exe
Verdict: Malicious activity
Analysis date: 2025-06-03 07:20:47 UTC
Tags: lumma stealer themida amadey botnet loader rat quasar remote stealc evasion github rdp delphi auto-reg pastebin ultravnc rmm-tool telegram vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: vmdetect phishing autorun
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Searching for the window
Connection attempt to an infection source
DNS request
Connection attempt
Sending an HTTP GET request
Behavior that indicates a threat
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt packed packed packer_detected xpack
Result
Threat name: Amadey, AsyncRAT, LummaC Stealer, Quasar, ACR Stealer, HTMLPhish
Detection: malicious
Classification: troj.spyw.evad.mine.phis
Score: 100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Detected unpacking (changes PE section rights)
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries Google from non browser process on port 80
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Uses dynamic DNS services
Uses known network protocols on non-standard ports
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected AsyncRAT
Yara detected LummaC Stealer
Yara detected Quasar RAT
Yara detected Stealc v2
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [Joe Sandbox behavior graph not reproduced here; Behavior Graph ID 1704590, sample random.exe, start date 03/06/2025, architecture WINDOWS, score 100]
Threat name: Win32.Trojan.Multiverze
Status: Malicious
First seen: 2025-06-02 15:41:22 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 22 of 24 (91.67%)
Threat level: 5/5
Verdict: malicious
Label(s): lummastealer amadey
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:lumma defense_evasion discovery spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Checks BIOS information in registry
Identifies Wine through registry keys
Reads user/profile data of local email clients
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Lumma Stealer, LummaC
Lumma family
Malware Config
C2 Extraction:
Unpacked files
SHA256 hash: 09c17e71a2bdb6aec337f54c48b4e5121fdc753127f8f3ea425b11ce4e2a2dbd
MD5 hash: c8eb2d44b177c838b1b381d7480f8f6a
SHA1 hash: 85b6649e313449bec768c5f41980d15d106bd278
SHA256 hash: 150481d7d063d521e3dd82155ea0740a906edb432febd61bc79a1cd3161212fc
MD5 hash: 10e8944cf4c94aed5c7fda45dfbe38a7
SHA1 hash: eb3e01f21ab91f8ca02fee1404b4307e5cbfd12d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: LummaStealer
Sample: Executable exe 09c17e71a2bdb6aec337f54c48b4e5121fdc753127f8f3ea425b11ce4e2a2dbd (this sample)

Comments